Tree-root domains in a trusted AD forest are now marked as reachable through the forest root
When an Active Directory (AD) forest contained tree-root domains (a separate DNS domain), Identity Management (IdM) sometimes failed to correctly route authentication requests to the tree-root domain's domain controllers. Consequently, users from a tree-root domain failed to authenticate against services hosted in IdM. This update fixes the bug, and users from a tree-root domain can authenticate as expected in this situation.

When analyzing trust topology, we fill in the ipanttrustpartner value to point to the forest root. Unfortunately, the code actually uses the domain's name, not the forest root domain's name, here. It works fine with child domains but doesn't work for tree-root domains within the forest. A fix would be a one-line change to how ipanttrustpartner is filled in. The ipaNTTrustPartner value is then used by SSSD in IPA server mode to identify which Kerberos principal to use to talk to the trusted domain's DC.
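The following is an added illustration, not FreeIPA or SSSD code, of why the partner attribute has to name the forest root. It constructs a small forest (one root, one child domain, one tree-root domain) in which IdM holds a trust, and therefore a Kerberos principal, only for the forest root. The "before" function stores the domain's own name, as the comment above describes; the "after" function stores the forest root. The consumer's DNS-parent walk is an assumption introduced here to model why child domains happened to work; the page only states that they did. All names and the principal string are constructed.

```python
"""Illustrative model (constructed for this page, not FreeIPA or SSSD code) of
why ipaNTTrustPartner must point at the forest root for every forest member."""

# Constructed forest topology: the forest root, a child domain (DNS-subordinate
# to the root) and a tree-root domain (a separate DNS tree in the same forest).
FOREST_ROOT = "ad.example.test"
FOREST_DOMAINS = {
    "ad.example.test": FOREST_ROOT,        # forest root itself
    "child.ad.example.test": FOREST_ROOT,  # child domain
    "corp.example.net": FOREST_ROOT,       # tree-root domain
}

# IdM establishes the trust with the forest root only, so that is the only
# domain for which a cross-realm principal exists (constructed value).
TRUST_PRINCIPALS = {FOREST_ROOT: "krbtgt/AD.EXAMPLE.TEST@IPA.EXAMPLE.TEST"}


def partner_before_fix(domain, forest_root):
    """Buggy behaviour described in the bug: the domain's own name is stored."""
    return domain


def partner_after_fix(domain, forest_root):
    """Fixed behaviour: every domain in the forest points at the forest root."""
    return forest_root


def dns_parent(name):
    """Return the DNS parent of a name, or None once the top label is reached."""
    _head, _sep, tail = name.partition(".")
    return tail or None


def lookup_principal(partner):
    """Assumed consumer model: try the stored partner, then walk up the DNS
    hierarchy.  Child domains reach the forest root this way; a tree-root
    domain lives in a different DNS tree and never does."""
    name = partner
    while name is not None:
        if name in TRUST_PRINCIPALS:
            return TRUST_PRINCIPALS[name]
        name = dns_parent(name)
    return None


def resolve_all(partner_fn):
    """Map every forest domain to the principal the consumer would select."""
    return {
        domain: lookup_principal(partner_fn(domain, root))
        for domain, root in FOREST_DOMAINS.items()
    }


if __name__ == "__main__":
    for label, fn in (("before", partner_before_fix), ("after", partner_after_fix)):
        for domain, principal in resolve_all(fn).items():
            print(f"{label:6} {domain:24} -> {principal}")
```

Running it shows the tree-root domain resolving to no principal before the fix (authentication for its users fails) and to the forest-root principal after it, while the child domain works in both cases.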

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html